Add nnd-nft nftables base
This commit is contained in:
parent
68c0b5a035
commit
945426edd4
@ -0,0 +1,15 @@
pkgname="${startdir##*/}" # Usually the package name is the same as the directory
pkgver="$(date +'%Y.%m.%d')" # Use current date as fallback
url="https://git.redxen.eu/nnd" # Upstream for package info
arch="noarch" # Most things aren't arch specific
license="none" # Can you even license configs?
options="!check" # Usually software doesn't provide tests
builddir="$srcdir" #
_replace() {
sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
}
_cpkgdir() {
echo "${subpkgdir:-${pkgdir}}"
}
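Review bot: `_replace` escapes `$2` for the replacement side but splices `$1` into the `s/…/` pattern verbatim, so a search string containing `/` breaks the expression and any regex metacharacter (`.`, `*`, `[`, `$`) matches more than the literal text the caller meant; since callers elsewhere decide what ends up in `$1`, escape it the same way: `pat="$(printf '%s' "$1" | sed 's/[]\/$*.^[]/\\&/g')"`, `rep="$(printf '%s' "$2" | sed 's/[&/\]/\\&/g')"`, `sed -i -- "s/$pat/$rep/g" "$3"`. A one-line comment stating that both arguments are treated as literal strings would make the contract explicit. Minor: `builddir="$srcdir" #` leaves an empty trailing comment marker.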
@ -0,0 +1,24 @@
# Contributor: Alex Denes <caskd@redxen.eu>
# Maintainer: Alex Denes <caskd@redxen.eu>
. ../../APKBUILD.template
pkgrel=0
pkgdesc="Basic generic nftables template"
options="!check" # check requires root?
check() {
msg "Checking if commands are valid"
nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
}
prepare() {
default_prepare
cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
}
package() {
mkdir -p "$pkgdir"/etc/nnd
cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
}
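Review bot: `options="!check"` repeats the value the sourced template already sets, and its trailing `# check requires root?` leaves open whether `nft -c` actually needs privileges; the practical effect is that `check()` is dead code and nothing validates the ruleset at build time. Worth trying `nft -c -I … -f …` as an unprivileged user on the build host: if it works, drop the override so the files are syntax-checked; if it really needs netlink access, replace the question with a statement such as `# nft -c needs CAP_NET_ADMIN for its ruleset cache; run check() manually as root`. Separately, `package()` installs the tree with a bare `cp -r`, so the installed modes are whatever the checkout and umask produced; pinning them after the copy (`chmod -R u=rwX,go=rX "$pkgdir"/etc/nnd/nftables`) keeps the package reproducible. The `prepare()` comment already notes that these files bypass `sha512sums`; that is worth stating in `pkgdesc`-level documentation too, since it means the built package content is not integrity-checked by abuild.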
@ -0,0 +1,2 @@
ip saddr 172.24.0.0/24 oifname "eth0" counter accept;
iifname "eth0" ip daddr 172.24.0.0/24 counter accept;
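Review bot: The second rule accepts any new connection arriving on eth0 toward 172.24.0.0/24, not just replies, and since the fwfilter chain added in this commit has no `ct state established,related` rule this is the only thing standing between eth0's side and the whole 172.24.0.0/24 network; the rxmain file has the same shape in `iifname "eth0" oifname "rxmain" counter accept`. If eth0 is the uplink and the intent is only to let LAN-originated traffic return, restrict the reverse direction: `iifname "eth0" ip daddr 172.24.0.0/24 ct state established,related counter accept;` (and likewise for the rxmain rule). If inbound access is intentional, a one-line comment saying so would save the next reader the question.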
@ -0,0 +1,3 @@
iifname "rxmain" oifname "rxmain" counter accept;
iifname "rxmain" oifname "eth0" counter accept;
iifname "eth0" oifname "rxmain" counter accept;
@ -0,0 +1 @@
tcp dport { 143, 993 } counter accept;
@ -0,0 +1 @@
tcp dport { 80, 443, 2442 } counter accept;
@ -0,0 +1,2 @@
tcp dport 64738 counter accept;
udp dport 64738 counter accept;
@ -0,0 +1 @@
tcp dport 22 counter accept;
@ -0,0 +1 @@
tcp dport { 25, 465, 587 } counter accept;
@ -0,0 +1,2 @@
tcp dport 51413 counter accept;
udp dport 51413 counter accept;
@ -0,0 +1 @@
tcp dport 7777 counter accept;
@ -0,0 +1,2 @@
tcp dport 53 counter accept;
udp dport 53 counter accept;
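Review bot: These two rules accept port 53 on every interface, eth0 included, so if the resolver on this host is recursive and eth0 is the uplink this turns it into an open resolver reachable from outside (a known amplification vector). If DNS is meant only for the internal networks, scope the rules: `iifname != "eth0" tcp dport 53 counter accept;` and `iifname != "eth0" udp dport 53 counter accept;`. If public authoritative service is intended, a comment stating that would make the exposure deliberate rather than accidental.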
@ -0,0 +1 @@
udp dport 51820 counter accept;
@ -0,0 +1 @@
udp dport 26000 counter accept;
@ -0,0 +1,3 @@
# Ban if connection attempts are still made over the limit
ct state new meter ban4 { ip saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip saddr timeout 1h } counter reject;
ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
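Review bot: Both rules `update @blackhole4` / `@blackhole6`, but the `table inet nnd-base` body added in this commit declares no sets, and a set cannot be declared from inside a chain-level include, so unless these sets come from a file not shown here the ruleset will fail to load — and the APKBUILD's `check()` is disabled, so the build would not notice. Declare them at table scope with the timeout flag (and the dynamic flag, which newer nft requires for packet-path updates): `set blackhole4 { type ipv4_addr; flags dynamic,timeout; }` and `set blackhole6 { type ipv6_addr; flags dynamic,timeout; }`. Also note that where this file lands in the input chain depends on glob order of the include directory, so whether the meter runs before or after the port accepts is decided by the filename; a comment stating the intended position would help whoever adds the next file.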
@ -0,0 +1,2 @@
ip daddr @blackhole4 counter reject;
ip6 daddr @blackhole6 counter reject;
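Review bot: The ban meter records `ip saddr`, but these rules test `ip daddr`, so they only match packets sent *to* a banned address. If this file is included from the output chain that blocks the host's replies but still lets a banned peer's packets run through the input chain's port accepts; if it is under the input include directory it never matches at all (the file's location is not visible here). For an input-side ban use `ip saddr @blackhole4 counter drop;` and `ip6 saddr @blackhole6 counter drop;`, ordered before the port accepts — `drop` rather than `reject` avoids sending a response to a source that is being rate-limited.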
@ -0,0 +1 @@
oifname "eth0" ip saddr 172.24.0.0/24 counter masquerade; # SNAT MASQUERADE v4
@ -0,0 +1,2 @@
oifname "eth0" ip saddr 172.22.12.0/24 counter masquerade; # SNAT MASQUERADE v4
oifname "eth0" ip6 saddr fd42:42:42::2:0/120 counter masquerade; # v6
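Review bot: The v4 rule masquerades 172.22.12.0/24 out of eth0, but no forward rule in this commit admits that subnet (the forward files cover 172.24.0.0/24 and rxmain only), so with fwfilter ending in `counter reject` its traffic never reaches postrouting unless a rule elsewhere accepts it. Worth confirming the subnet is intended and adding the matching forward rule if so. The inline `# SNAT MASQUERADE v4` / `# v6` comments restate the rule; a comment naming which network or package the subnet belongs to would carry more information.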
@ -0,0 +1,43 @@
table inet nnd-base {
chain rxfilter {
type filter hook input priority 0;
policy reject;
ct state invalid counter drop;
icmpx counter accept;
include "inet/nnd-base/filter/input/*";
counter reject with icmpx type admin-prohibited;
}
chain fwfilter {
type filter hook forward priority 0;
policy reject;
include "inet/nnd-base/filter/forward/*";
counter reject with icmpx type no-route;
}
chain txfilter {
type filter hook output priority 0;
policy accept;
include "inet/nnd-base/filter/output/*";
}
chain prenat {
type nat hook prerouting priority -100;
policy accept;
include "inet/nnd-base/nat/prerouting/*";
}
chain rxnat {
type nat hook input priority 100;
policy accept;
include "inet/nnd-base/nat/input/*";
}
chain txnat {
type nat hook output priority -100;
policy accept;
include "inet/nnd-base/nat/output/*";
}
chain postnat {
type nat hook postrouting priority 100;
policy accept;
include "inet/nnd-base/nat/postrouting/*";
}
}
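Review bot: `policy reject;` on rxfilter and fwfilter is not valid nftables — a chain policy can only be `accept` or `drop` — so this table will not load, and nothing catches it because the APKBUILD disables `check()`; use `policy drop;` and keep the explicit trailing `reject` rules for the wanted ICMP errors. Neither chain accepts `ct state established,related`, and none of the include files in this commit do either, so replies to connections the host itself originates arrive on the input hook with an ephemeral destination port, match no port rule and hit the final `counter reject`. I also don't believe `icmpx` is usable as a match expression (it appears only in `reject with icmpx type …`); the inet-table form is `meta l4proto { icmp, ipv6-icmp } counter accept`. The rewritten rxfilter and fwfilter chains are below; the other chains are unchanged.
```nftables
table inet nnd-base {
	chain rxfilter {
		type filter hook input priority 0;
		policy drop;

		ct state invalid counter drop;
		ct state established,related counter accept;
		meta l4proto { icmp, ipv6-icmp } counter accept;

		include "inet/nnd-base/filter/input/*";
		counter reject with icmpx type admin-prohibited;
	}
	chain fwfilter {
		type filter hook forward priority 0;
		policy drop;
		ct state established,related counter accept;
		include "inet/nnd-base/filter/forward/*";
		counter reject with icmpx type no-route;
	}
	# … unchanged: txfilter, prenat, rxnat, txnat, postnat chains …
}
```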
@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
flush ruleset;
include "*/*/table";
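Review bot: `include "*/*/table"` (and the nested `include "inet/nnd-base/…/*"` globs in the table file) are relative paths, which nft resolves against the current directory and the `-I` include directories rather than the including file's location; the `#!/usr/sbin/nft -f` shebang cannot pass `-I`, so running the installed loader from any other directory will not find its includes (the APKBUILD's `check()` only works because it passes `-I "$builddir/nft"`). Either document the required invocation, e.g. `# load with: nft -I /etc/nnd/nftables -f /etc/nnd/nftables/loadall`, or make the include absolute, `include "/etc/nnd/nftables/*/*/table";`, applying the same to the nested includes. Separately, `flush ruleset;` removes every table in the kernel, including ones owned by other services; if that is the intent for a base ruleset a comment stating so would help, otherwise `table inet nnd-base {}` followed by `delete table inet nnd-base` keeps the reload scoped to this package's table.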